How you can protect app data

Your employees use mobile devices for both personal and work tasks. While making sure your employees can be productive, you also want to prevent data loss, both intentional and unintentional. In addition, you want the ability to protect company data accessed from devices even when those devices are not managed by you.

You can use Intune app protection policies to help protect your company's data. Because Intune app protection policies can be used independently of any mobile device management (MDM) solution, you can use them to protect your company's data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

App protection policies can be configured for apps running on devices that are:

Mobile app management policies should not be used with third-party mobile app management or secure container solutions.

Not enrolled in any mobile device management solution: The devices in this category are typically employee-owned devices that are not managed or enrolled in Intune or other MDM solutions.

The important benefits of using app protection policies are:

Protecting your company data at the app level. Because mobile app management does not require device management, you can protect company data on both managed and unmanaged devices. Management is centered on the user identity, which removes the requirement for device management.

End-user productivity is not affected, and the policies are not applied when the app is used in a personal context. The policies are applied only in a work context, giving you the ability to protect company data without touching personal data.

There are additional benefits to using MDM together with app protection policies, and companies can use app protection policies both with and without MDM at the same time. For example, an employee may use a phone issued by the company as well as a personal tablet. In this case, the company phone is enrolled in MDM and protected by app protection policies, and the personal device is protected by app protection policies only.

MDM makes sure that the device is protected. For example, you can require a PIN to access the device, or you can deploy managed apps to the device. You can also deploy apps to devices through your MDM solution, to give you more control over app management.

App protection policies make sure that the app-layer protections are in place. For example, you can require a PIN to open an app in a work context, control whether data can be shared between apps, or prevent company app data from being saved to a personal storage location.

How app protection policies protect app data

Apps without app protection policies

When apps are used without restrictions, company and personal data can become intermingled. Company data could end up in locations like personal storage or be transferred to apps outside your purview, resulting in data loss. The arrows in the diagram show unrestricted data movement between apps (corporate and personal) and to storage locations.

Data protection with app protection policies

You can use app protection policies to prevent company data from being saved to the local storage of the device, and to restrict data movement to other apps that are not protected by app protection policies. App protection policy settings include:

Wipe company data from apps without removing those apps from the device

Data protection with app protection policies for devices without enrollment

The diagram above illustrates how the data protection policies work at the app level without MDM.

For BYOD devices not enrolled in any MDM solution, app protection policies can help protect company data at the app level. However, there are some limitations to be aware of, such as:

You cannot deploy apps to the device. The end user has to get the apps from the store.

Multi-identity

Apps that support multi-identity let you use different accounts (work and personal) to access the same apps, while app protection policies are applied only when the apps are used in the work context.

For example, when a user starts the OneDrive app by using their work account, they can't move the files to a personal storage location. However, when they use OneDrive with their personal account, they can copy and move data from their personal OneDrive without restrictions.
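To make the app-level model concrete, here is an added, deliberately simplified Python model written for this page (it is not Intune's own logic or API; the app names, account contexts and file names are constructed). It applies the settings described above, PIN in the work context, no saving to local storage, data movement only to protected apps, and selective wipe, and shows the multi-identity case where the same app under a personal account is not restricted.

```python
from dataclasses import dataclass, field

# Simplified model of how an app protection (MAM) policy gates company data at
# the app layer. Constructed for this page as an illustration; it is not
# Intune's own logic or API. App names and file names are made up.

MANAGED_APPS = {"OneDrive", "Outlook", "Word"}  # apps the policy is assigned to

@dataclass(frozen=True)
class AppProtectionPolicy:
    pin_required: bool = True
    block_save_to_local_storage: bool = True
    # Where company data may flow: "managed_apps", "all_apps" or "none"
    outbound_transfer: str = "managed_apps"

@dataclass
class AppSession:
    app: str
    is_work_account: bool  # the policy applies only in the work context
    pin_entered: bool = False
    company_data: set = field(default_factory=set)

def transfer_allowed(policy, session, destination, local_storage=False):
    """Decide whether data may leave session.app; returns (allowed, reason)."""
    if not session.is_work_account:
        return True, "personal context: policy not applied"
    if policy.pin_required and not session.pin_entered:
        return False, "PIN required before company data can be used"
    if local_storage and policy.block_save_to_local_storage:
        return False, "saving company data to local storage is blocked"
    if policy.outbound_transfer == "none":
        return False, "outbound transfer of company data is blocked"
    if policy.outbound_transfer == "managed_apps" and destination not in MANAGED_APPS:
        return False, f"{destination} is not protected by an app protection policy"
    return True, "destination is covered by the policy"

def selective_wipe(session):
    """Remove company data only; the app and any personal data stay in place."""
    removed = len(session.company_data)
    session.company_data.clear()
    return removed

if __name__ == "__main__":
    policy = AppProtectionPolicy()
    work = AppSession("OneDrive", True, True, {"Q3-forecast.xlsx"})
    print(transfer_allowed(policy, work, "Outlook"))       # allowed: managed app
    print(transfer_allowed(policy, work, "PhotoGallery"))  # blocked: unmanaged app
    print(transfer_allowed(policy, AppSession("OneDrive", False), "PhotoGallery"))
    print(selective_wipe(work), work.company_data)         # 1 set()
```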
